Knowledge Base::DBSA:2014-0012

Views

Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant, please refer to the "Date" section of the header to be sure the advisory is recent as pertains to your situation.

Classification

Rationale: Immediate action is necessary to keep information secured against third party threats.

Severity: HIGH

Rationale: Vulnerabilities can disclose passwords for other services, to which there often is no solid mitigations a user can perform.

Spread of Issue: MULTI-PLATFORM MODERATE

Rationale: Services provide browser extensions on multiple platforms, there are substantial number of users of these services.

Description

Multiple password management solutions have been evaluated and revealed to contain web-based exploits that may result in passwords for third party services being revealed. Among these services evaluated are LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword. These services however are not the only online unified credential management services that could contain these issues.

The issue at hand specifically is that an attacker may utilize weaknesses in the services' software or the like to leverage access into passwords for services, including email passwords, online shopping and banking passwords, workplace credentials for remote access, identities, among other services that users value.

Mitigation/Solution

Users of these online password manager services are advised to remove all information from the services and discontinue use of these services if at all possible and to treat similar services as potential risks. Passwords should be memorized to maximize security but in the absence of such memorization it is advised to use local password managers that do not use an online account or storage of any kind. The preferred secure method to manage a password database is to maintain a text file that is encrypted and when the database is in use and is unencrypted to ensure there is not a third party observing the database.

Password entry should not be automatic and should require manual use to enter passwords to avoid attempts by attackers to trick automatic entry for phishing purposes.